It can often be overwhelming to start working with a new starter project. If you provide us with some details about your project, we can generate a baseline configuration for deployment to AWS.

The following properties are required for general project configuration:

  • Project Name: A name for this project.
  • Deployment: Choose if you want to use the configuration tool to configure production or development infrastructure. At this point, the configuration tool only supports definition of either production or development infrastructure. However, after you download your project, you can configure unlimited additional deployment configurations (for example if you choose to define development infrastructure now, you can define production infrastructure later).
  • AWS Region: The AWS region infrastructure that your project should be deployed to.

AWS Configuration

Goldstack provides ready-made scripts to deploy your infrastructure to AWS. You can supply AWS credentials during project configuration that will be included in your downloaded package. By default, these will not be committed to source control.

However, there are many other ways in which AWS user credentials can be supplied for Goldstack, so providing the details during project configuration is optional. It is only recommended to do so for development systems.

If you do not know how to get the Access Key ID and Secret Access Key, please find instructions here.

How to get AWS Credentials

The easiest way to configure the AWS user for Goldstack is to do it during project setup by providing an AWS Access Key Id and AWS Secret Access Key. To obtain these, please do the following:

Add User in AWS console

  • Provide a username of your choice, for instance 'goldstack-local-dev'
  • Select the Access Type Programmatic Access

Provide user details

  • Click on the button Next: Permissions
  • Select Attach existing policies directly
  • Select the Policy Administrator Access

Select permissions

  • Click on the button Next: Tags
  • You do not have to add any tags, just click Next: Review
  • On the review page click Create User

Now you can copy the Access Key ID and add it to the Goldstack configuration form. Do the same with the Secret Access Key (It can be shown by clicking on Show).

Obtain access keys

Note that it is recommended to only provide this key and secret for development systems (and prototype/hobby production systems). For all other systems, it is recommended to provide this key and secret only through environment variables (see below).

Credentials in Config File

AWS credentials can be configured during project set up. However if you do not want to provide your credentials in the configuration tool or you want to change them later, they can be configured through a configuration file. This file can be found under the following paths:


The configuration file can have contents as follows:

  "users": [
      "name": "dev-user",
      "type": "apiKey",
      "config": {
        "awsAccessKeyId": "[Your Access Key ID]",
        "awsSecretAccessKey": "[Your Secret Access Key]",
        "awsDefaultRegion": "[Region for user]"
      "name": "prod-user",
      "type": "apiKey",
      "config": {
        "awsAccessKeyId": "[Your Access Key ID]",
        "awsSecretAccessKey": "[Your Secret Access Key]",
        "awsDefaultRegion": "[Region for user]"

Make sure that the "name" property matches the "awsUser" of module deployments for which the user should be used. There is no limit to how many users you can define.

Note that we recommend that this file is not checked into source control. By default, there is a .gitignore file present in the config/infra/aws folder that will prevent this file from being checked into git.

If you want to supply AWS user credentials in your CI/CD systems, these can be supplied using environment variables.

Credentials in Environment Variables

Goldstack can read AWS Access Key ID and Secret Access Key from environment variables. The easiest way is to set the following environment variables:

AWS_USER_NAME: [Your user name]
AWS_ACCESS_KEY_ID: [Your access key id]
AWS_SECRET_ACCESS_KEY: [Your secret access key]

The AWS_USER_NAME variable is optional but can be useful for explicitly referencing the correct Goldstack user in deployments. The above setup is particularly useful for CI/CD environments. For instance, when using GitHub Actions, environment variables could be configured as follows:

- name: Deploy UI
  run: |
    yarn workspace my-ui deploy dev
    AWS_USER_NAME: dev-user
    AWS_DEFAULT_REGION: us-west-2

Where the values of the environment variables are defined in GitHub Secrets.

Hosted Zone Configuration

Many modules need to deploy resources to a domain, for instance for a static website or for an API server. Goldstack modules can provide the DNS configuration required but you need to specify the Route 53 hosted zone that the DNS entries should be added to. You can either use an already existing hosted zone or create a new one.

Creating a new hosted zone

The following steps describe how to create a new hosted zone in AWS Route 53.

Create hosted zone

  • Provide the name of a domain you own (or a subdomain of a domain you own) and click Create hosted zone.

Provide hosted zone details

  • If you haven't registered your domain through Route 53, configure your domain with your domain registrar to use the nameservers Route 53 lists for your domain.

Provide hosted zone details

Now you can copy the domain name of your hosted zone and provide this in your module configuration

Domain name to be used for module configuration

Note that for the actual domain your module uses, you can specify the domain name of the hosted zone directly, or one of it's subdomains. For instance, if your hosted zone domain is you can configure a website module to be deployed to or

You can use the same hosted zone for multiple modules. Just make sure to use subdomains to avoid conflicts between modules. For instance, if you configure a website to be deployed to then deploy your API to

Using an existing hosted zone

If you already have a hosted zone configured for the domain you would like to use for your module, you simply need to provide the domain of the hosted zone.

  • You can find all hosted zones you have configured in the Route 53 Console
  • Copy the value provided under Domain name and provide this in your module configuration

Determining domain name from hosted zone list


All Goldstack templates contain Terraform Infrastructure as Code definitions. Goldstack provides easy tooling to stand up this infrastructure. Terraform will use the AWS credentials configured as per the instructions above.

All state will be stored in Terraform S3 remote state using DynamoDB locking. Goldstack will automatically create a bucket for storing the state in the same AWS account that the infrastructure is deployed to (thus being able to use the same AWS credentials).

During standing up the infrastructure for the first package of a project, Goldstack will create the config/infra/aws/terraform.json file that contains the S3 bucket and DynamoDB table for all packages deployed to a respective AWS account. Below an example terraform.json file.

  "remoteState": [
      "user": "dev",
      "terraformStateBucket": "goldstack-tfstate-67a73e60720c25855a39baeb1218b55229578671",
      "terraformStateDynamoDBTable": "goldstack-tfstate-a82076777995c7254fbcae1f9e8013fee75833f2-lock"
      "user": "prod",
      "terraformStateBucket": "goldstack-tfstate-0cb1a35a83c9c952321ee4addbe76d096b031d47",
      "terraformStateDynamoDBTable": "goldstack-tfstate-0cb1a35a83c9c957772ee4addbe76d096b031d47-lock"

To prevent Goldstack from auto-generating the bucket and table names, provide a terraform.json file before standing up the infrastructure for your first package. Goldstack will create bucket and table using the names you specify then. Also, if you have special requirements for your bucket and table, you can create these before standing up the infrastructure with Goldstack. You only need to ensure that the bucket and table fulfil the requirements of Terraform for storing its remote state.

All packages included in a project will use the same bucket and DynamoDB table. The name of the state file will be defined in the goldstack.json file within each package.

  "$schema": "./schemas/package.schema.json",
  "name": "mypackage",
  "deployments": [
      "name": "dev",
      "tfStateKey": "mypackage-dev-f53056a8788c8eb7a1ac.tfstate"

If the tfStateKey property is defined before running yarn infra init [deployment], Goldstack will use the name specified as key for the state in bucket and DynamoDB table. If the tfStateKey property is not defined, a name will be generated and goldstack.json updated.

Ensure that after standing up infrastructure for the first time to commit and push changes to your project, since Goldstack will update goldstack.json config and the config/infra/aws/terraform.json config. This is only required for initialising the infrastructure for each package and target AWS account (and if you do not provide the names for bucket, table and state files manually). For subsequent updates to the infrastructure it is not necessary to update the source files.

© 2021 Pureleap Pty. Ltd. and Contributors